If the source IP address is unknown and not reachable through the interface on which the packet was received, the packet is dropped by default. Because the lookup relies on the presence of the Forwarding Information Base (FIB), this "look backward" capability works only when Cisco Express Forwarding (CEF) is enabled on the router. CEF generates the FIB as part of its operation.
Figure 7-9. Unicast Reverse Path Forwarding (uRPF) Strict Mode
The information in Figure 7-9 is taken from the Cisco security presentation on "Unicast Reverse Path Forwarding."
Note
Source Address must match the FIB and Adjacency Information in the CEF Table.
uRPF is enhanced with the ACL logging capability by running the reverse path forwarding (RPF) check in a passthrough mode. In this mode, all RPF violations are logged using the ACL log-input feature. If a packet fails the RPF check, the ACL is consulted to determine whether the packet should be dropped (when it matches a deny entry) or forwarded (when it matches a permit entry). The ACL logging counter and match counter statistics are incremented, so they reflect the number of packets that arrived with spoofed IP source addresses.
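The following added example (not from the book or from Cisco) models the strict-mode decision described above: the source address is looked up in a constructed FIB, the packet passes only if the best route points back out the receiving interface, and an RPF failure falls through to a constructed ACL whose permit/deny entry decides forward-or-drop while the match counter is incremented and a log line is emitted. The FIB prefixes, interface names, and ACL entries are invented for illustration.

```python
import ipaddress
from collections import Counter

# Constructed FIB: prefix -> egress interface. Longest prefix match wins,
# exactly as the CEF lookup would choose the adjacency for a destination.
FIB = {
    "10.1.0.0/16":  "Gi0/0",
    "10.1.5.0/24":  "Gi0/1",
    "192.0.2.0/24": "Gi0/1",
}

# Constructed ACL consulted only for packets that FAIL the RPF check
# (passthrough mode): a permit lets the failing packet through, a deny drops it.
ACL = [
    ("permit", "192.168.100.0/24"),   # hypothetical exception network
    ("deny",   "0.0.0.0/0"),          # everything else: drop and log
]

stats = Counter()   # per-ACL-entry match counters, as log-input would keep

def fib_lookup(src_ip, fib=FIB):
    """Return the interface via which src_ip is reachable, or None if unknown."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_strict(src_ip, in_iface, acl=ACL):
    """Strict-mode uRPF with ACL logging. Returns 'forward' or 'drop'."""
    if fib_lookup(src_ip) == in_iface:
        return "forward"              # source is reachable back out the ingress interface
    # RPF failed (unknown source or wrong interface): consult the ACL, count and log.
    addr = ipaddress.ip_address(src_ip)
    for action, prefix in acl:
        if addr in ipaddress.ip_network(prefix):
            stats[(action, prefix)] += 1
            print(f"RPF failure: src {src_ip} in {in_iface}, ACL {action} {prefix} (log-input)")
            return "forward" if action == "permit" else "drop"
    return "drop"                     # no ACL match (or no ACL configured): default drop

if __name__ == "__main__":
    print(urpf_strict("10.1.5.7", "Gi0/1"))        # forward: /24 points out Gi0/1
    print(urpf_strict("10.1.5.7", "Gi0/0"))        # drop: arrived on the wrong interface
    print(urpf_strict("192.168.100.5", "Gi0/0"))   # forward: unknown source, but ACL permits
```

Every packet that reaches the ACL branch is, by construction, a spoofed or misrouted source, so the counters in stats are the "packets with spoofed IP addresses" statistic the text refers to.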
Configuring uRPF
Example 7-16 shows how to configure uRPF on an interface with the ACL logging feature.